US20120240215A1 - Soc-based device for packet filtering and packet filtering method thereof - Google Patents

Soc-based device for packet filtering and packet filtering method thereof Download PDF

Info

Publication number
US20120240215A1
US20120240215A1 US13/422,672 US201213422672A US2012240215A1 US 20120240215 A1 US20120240215 A1 US 20120240215A1 US 201213422672 A US201213422672 A US 201213422672A US 2012240215 A1 US2012240215 A1 US 2012240215A1
Authority
US
United States
Prior art keywords
packet
rule
chip
owner
transmitted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US13/422,672
Other versions
US8726362B2 (en
Inventor
InSeon YOO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung SDS Co Ltd
Original Assignee
Samsung SDS Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung SDS Co Ltd filed Critical Samsung SDS Co Ltd
Priority to US13/422,672 priority Critical patent/US8726362B2/en
Assigned to SAMSUNG SDS CO., LTD. reassignment SAMSUNG SDS CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: YOO, INSEON
Publication of US20120240215A1 publication Critical patent/US20120240215A1/en
Application granted granted Critical
Publication of US8726362B2 publication Critical patent/US8726362B2/en
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/22Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL

Definitions

  • Apparatuses and methods consistent with the exemplary embodiments relate a system-on-chip (SOC)-based device which can provide packet filtering and a packet filtering method thereof, and more particularly, to a SOC-based device which can provide packet filtering by setting a firewall to allow or block packets according to a process of a network application, and a packet filtering method thereof.
  • SOC system-on-chip
  • malware As the internet is being widely used, malicious malware of various forms such as worm, Trojan horses, viruses, or DDoS appears and damage by the malware is increasing. Therefore, there is a demand for a method for responding to network attacks to protect information over a network and a relevant device.
  • mobile devices have limited available resources and thus require high speed filtering technology to filter packets at a high speed, while using resources at the minimum.
  • One or more aspects of the exemplary embodiments provide a device which sets a firewall to allow or block packets according to a process of a network application, thereby allowing or blocking all of the packets generated by the process, and a packet filtering method thereof.
  • One or more aspects of the exemplary embodiments provide a device which can more easily perform a firewall setting job with respect to a service desired by a user by providing a configuration helper when setting a rule for packet filtering, and a packet filtering method thereof.
  • a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver.
  • a packet filtering method of a device on which a SOC is mounted and which includes network processes including: identifying, by the device, an owner process of a packet to be transmitted, and transmitting the packet to the SOC only if the owner process of the packet to be transmitted is allowed to transmit the packet to an external device, and filtering, by the SOC, the packet transmitted from the device by applying a rule for packet filtering.
  • a non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method including: identifying an owner process of a packet to be transmitted to an external device, and, only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device, transmitting the packet to a chip that is mounted on the computer and has a packet filtering function.
  • a device including a chip that includes a firewall engine, and a driver, wherein the driver obtains an owner process ID of a packet to be transmitted to an external device and transmits the packet and the owner process ID of the packet to the chip, wherein the firewall engine of the chip filters the packet transmitted from the driver using a rule DB for packet filtering.
  • a non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method including: identifying an owner process of a packet to be transmitted to an external device, obtaining an owner process ID of the packet to be transmitted to the external device, and transmitting the packet to be transmitted to the external device and the owner process ID of the packet to a chip that is mounted on the computer and has a packet filtering function.
  • FIG. 1 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment
  • FIG. 2 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment
  • FIGS. 3A and 3B are flowcharts to explain a packet filtering method of the device 2 according to an exemplary embodiment
  • FIG. 4 is a view to explain a device on which a SOC is mounted according to another exemplary embodiment
  • FIG. 5 is a view to explain a rule setting screen provided by a firewall user interface according to an exemplary embodiment
  • FIG. 6 is a view to explain a function of a configuration helper according to an exemplary embodiment
  • FIG. 7 is a view to explain a rule setting screen to set a basic rule according to an exemplary embodiment
  • FIG. 8 is a view to explain a rule setting screen to set a rule according to a process according to an exemplary embodiment
  • FIG. 9 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment
  • FIG. 10 is a flowchart illustrating a packet filtering method of FIG. 9 according to an exemplary embodiment
  • FIG. 11 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment
  • FIG. 12 is a flowchart illustrating a packet filtering method of the device of FIG. 11 according to an exemplary embodiment.
  • FIG. 13 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • FIG. 1 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment.
  • a device 1 includes a SOC 3 mounted thereon and having a firewall function to filter packets.
  • the device 1 may include at least one application that uses a packet transmitted/received through a network, and each application may include at least one process.
  • a process that uses a certain packet by transmitting the packet to an external device or receiving the packet from the external device is referred to as an “owner process” of the packet.
  • each of the processes is assigned an identification (ID) so that the processes can be distinguished from one another.
  • ID an identification
  • Each packet includes a process ID of an owner process using the packet. Accordingly, the owner process using the packet may be identified by the process ID included in the packet.
  • the SOC 3 may include a network interface card (NIC) and accordingly the device 1 may transmit the packet to the external device through the SOC 3 and may receive the packet from the external device through the SOC 3 .
  • NIC network interface card
  • the SOC 3 may include a storage unit that stores a rule, which is a criterion based on which a packet is determined to be allowed or blocked, and a firewall engine that allows the packet to be transmitted/received or blocks the packet by applying the rule. If the SOC 3 receives a packet from the device 1 in this configuration, the SOC 3 transmits the packet to an external device or blocks the packet by applying a rule database (DB) stored in the SOC. Also, if the SOC 3 receives a packet from an external device, the SOC may transmit the packet to the device 1 or block the packet by applying the rule DB.
  • DB rule database
  • the device 1 may perform the following operations when transmitting a packet to an external device.
  • the device 1 If the SOC 3 includes the NIC and the device 1 transmits/receives the packet with the external device through the NIC, the device 1 identifies the owner process of the packet to be transmitted and transmits the packet to the SOC 3 only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device.
  • the SOC 3 stores a pre-defined rule in the rule DB and allows the packet to be transmitted to the external device or blocks the packet by applying the rule.
  • the SOC 3 may include a firewall engine that is configured in a hardware and/or software level.
  • the device 1 may include a rule DB for each process that defines a packet as being allowed or blocked according to a process. Also, the device 1 obtains the process ID of the owner process included in the packet to be transmitted to the external device, and determines whether the owner process is allowed to transmit the packet to the external device or not by referring to the rule DB for each process. Only if the owner process is allowed to transmit the packet, the device 1 transmits the packet to the SOC 3 .
  • the device 1 does not transmit the packet to the SOC 3 .
  • the device 1 may stop executing the owner process of the packet.
  • the device 1 may perform the following operations when receiving a packet from an external device.
  • the SOC 3 determines whether to allow or block the packet received from the external device by applying the rule DB of the SOC 3 .
  • the SOC 3 transmits the packet to the device 1 only if the packet is allowed to pass as a result of applying the rule.
  • the device 1 includes a rule DB for each process that defines a packet as being allowed or blocked according to a process. Accordingly, the device 1 may apply the rule for each process to the packet received from the SOC 3 prior to transmitting the packet to the owner process.
  • the device 1 If the owner process of the packet received from the SOC 3 is prohibited from receiving as a result of applying the rule for each process, the device 1 does not transmit the packet to the owner process and discards the packet. According to an exemplary embodiment, the device 1 may stop executing the owner process of the discarded packet.
  • the device 1 may provide a rule setting screen to receive a setting of a rule from the user.
  • the rule setting screen may include an area to receive information of at least one of an IP, a protocol, and a port from the user. The rule setting screen will be described later.
  • the device 1 transmits the rule input by the user through the rule setting screen to the SOC 3 , and the SOC 3 may reflect the rule transmitted from the device 1 into the rule DB stored in the storage unit of the SOC 3
  • the device 1 may not transmit the rule for each process to the SOC 3 and may store the rule for each process in a storage unit (not shown) of the device 1 . After that, the device 1 may allow or block the packet according to a process using the rule for each process stored in the storage unit (not shown) of the device 1 .
  • the SOC 3 may include hardware and/or software resources including a central processing unit (CPU), a memory, a memory controller, and a rule DB storage unit.
  • CPU central processing unit
  • the resources necessary for driving programs such as a CPU, a memory, a memory controller, and a rule DB storage unit are not explicitly explained in this specification, it should be understood that the hardware and software resources necessary for driving the programs and operations thereof are included.
  • the firewall engine included in the SOC 3 may include a matcher to match the rule DB and the packet and a firmware to operate the matcher.
  • the matcher and the firmware are not explicitly mentioned, it should be understood that a storage unit to store the firmware and a CPU to load the firmware into a memory are included in the SOC 3 .
  • the device 1 is described as including a certain application or driver, it should be understood that hardware and/or software resources to operate the application or driver are included.
  • the device 1 may be a mobile device such as a smart phone or a personal digital assistant (PDA). However, this is merely an example and the device 1 may be a fixed-type device such as a desktop computer.
  • PDA personal digital assistant
  • FIG. 2 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment.
  • a firewall is realized based on the SOC and is mounted on the device 200 .
  • the device 200 may be divided into an application layer, a kernel layer, a SOC layer, and a NIC layer. Some of these function layers may be omitted or another function layer may be added according to an exemplary embodiment. Also, a detailed element of each function layer may be modified. Therefore, the configuration of FIG. 2 is merely an example and the present disclosure should not be limited to FIG. 2 . Hereinafter, the present disclosure is explained based on the embodiment of FIG. 2 .
  • the application layer may include an application 203 .
  • the application layer is the uppermost function layer of the device 200 and includes the application 203 that uses packet data to be packet-filtered.
  • the application 203 may be at least one of a web browser 203 - 1 , a telnet 203 - 2 , and an FTP server 203 - 3 , and may be one of applications that use predetermined packet data.
  • the kernel layer of the device 200 may transmit information within the packet data received by the device 200 from an external device to the application layer, or may generate packet data according to a request by the application layer and transmit the packet data to an external device.
  • the device 200 includes a TCP/IP driver 215 . Also, if the device 200 uses Windows as an operating system (OS), the device 200 includes a WinSock 213 . Since the operations of the TCP/IP driver 215 and the WinSock 213 are well known, a detailed description thereof is omitted.
  • OS operating system
  • the device 200 may include a driver for using the different protocol, and, if the device 200 uses a different operating system other than the Windows operating system, the device 200 may include an element other than the WinSock 213 .
  • the kernel layer may further include a network driver interface specification (NDIS) 218 , and the NDIS 218 may include an anti-malware SOC miniport driver 217 (hereinafter, referred to as a Thiniport driver').
  • NDIS network driver interface specification
  • Thiniport driver' an anti-malware SOC miniport driver 217
  • the miniport driver 217 may receive the packet data from the application 203 and transmit the packet data to an AP driver 221 , or may receive packet data from the AP driver 221 and transmit the packet data to an upper layer.
  • the miniport driver 217 may filter the packet data according to a process prior to transmitting the packet data to the AP driver 221 . If a rule set according to a process is included among the rules set by the user, the rule is stored in an area managed by the kernel layer. In this exemplary embodiment, the rule for each process may be stored in a rule DB 219 . The rule DB 219 may store only the rule for each process and may further store a rule used for filtering the packet. If the packet data is received from the application 203 , the miniport driver 217 identifies an owner process and determines whether to allow the packet or not by referring to the rule for each process. This operation will be described in detail with reference to FIG. 3 .
  • the SOC mounted on the device 200 of FIG. 2 includes the AP driver 221 , a firewall engine 229 , an NIC driver 228 , and an NIC 231 .
  • the AP driver 221 receives data from the miniport driver 217 and transmits the data to the firewall engine 229 .
  • the firewall engine 229 goes through a packet verification process and performs packet filtering.
  • the packet verification process is to prevent an attack such as Syn Flooding.
  • the firewall engine 229 determines whether to allow or block the packet data by applying a filtering rule to the packet data, and performs filtering, that is, allows or blocks the packet data according to a result of the determining.
  • the SOC includes a rule DB 224 and the firewall engine 229 performs packet filtering using a rule stored in the rule DB 224 .
  • the firewall engine 229 transmits only the packet that is determined to be ‘allowed’ as a result of the packet filtering to the NIC driver 228 .
  • the NIC driver 228 transmits the packet received from the firewall engine 229 to the NIC 231 . After that, the NIC 213 transmits the packet to an external network.
  • the firewall engine 229 transmits only the packet that is determined to be ‘allowed’ as a result of the packet filtering to the AP driver 221 , and the AP driver 221 transmits the packet to the miniport driver 217 .
  • the NIC 231 may transmit the packet data to a packet data network or receive the packet data from the packet data network, and may be mounted in the SOC as a part.
  • the NIC 231 may receive the packet data through a wired or wireless LAN, for example.
  • FIGS. 3A and 3B A packet filtering operation of the above configuration according to an exemplary embodiment will be explained with reference to FIGS. 3A and 3B .
  • FIGS. 3A and 3B are flowcharts to explain a packet filtering method according to an exemplary embodiment. Specifically, FIG. 3A is a flowchart illustrating a packet filtering method if a packet is transmitted to an external device, and FIG. 3B is a flowchart illustrating a packet filtering method if a packet is received from an external device.
  • a packet is generated by the application 203 and is received by the miniport driver 217 prior to being transmitted to the outside of the device 200 in operation S 101 .
  • the miniport driver 217 identifies an owner process of this packet in operation S 103 .
  • the owner process may be identified by a process ID included in the packet.
  • a rule DB for each process may be used. That is, the device 200 may include the rule DB 219 that defines a packet as being allowed or blocked according to a process, and it is determined whether the owner process is allowed to transmit the packet or not according to the rule for each process stored in the rule DB 219 .
  • the miniport driver 217 transmits the packet to the SOC in operation S 107 .
  • the SOC performs packet filtering in operation S 109 .
  • the firewall engine 229 performs packet filtering and allows or blocks the packet according to a result of the packet filtering.
  • the firewall engine 229 may perform filtering by applying a pre-defined rule stored in the rule DB 224 .
  • the miniport driver 217 does not transmit the packet to the SOC in operation S 111 . That is, according to an exemplary embodiment, the miniport driver 217 may discard the packet. In addition, the miniport driver 217 may stop executing the owner process in operation S 113 .
  • Packet filtering may be performed as shown in FIG. 3B if the device 200 receives a packet from an external device.
  • the miniport driver 217 of the device 200 receives a packet form an external device in operation S 201 .
  • the packet may not pass through the SOC according to an exemplary embodiment. If the packet passes through the SOC, the firewall engine 229 of the SOC performs packet filtering and the packet that is allowed to pass by the packet filtering is transmitted to the miniport driver 217 . However, according to an exemplary embodiment, the packet may be transmitted to the miniport driver 217 without being filtered by the firewall engine 229 .
  • the miniport driver 217 identifies an owner process of the packet in operation S 203 .
  • the owner process may be identified by a process ID included in the packet.
  • the rule DB for each process may be used. That is, if the device 200 includes the rule DB 219 , it is determined whether the owner process is allowed to receive the packet or not according to the rule for each process stored in the rule DB 219 .
  • the miniport driver 217 transmits the packet to the owner process in operation S 207 .
  • the miniport driver 217 does not transmit the packet to the owner process in operation S 209 .
  • the miniport driver 217 may discard the packet.
  • the miniport driver 217 may stop executing the owner process in operation S 211 .
  • FIG. 4 is a view to explain a device on which a SOC is mounted according to another exemplary embodiment.
  • the device 200 Comparing the device of FIG. 2 , the device 200 according to the exemplary embodiment of FIG. 4 further includes a firewall user interface (UI) application 201 and an anti-malware (AM) SOC stream interface driver 211 , and the SOC further includes a firewall manager 227 .
  • UI user interface
  • AM anti-malware
  • the other elements and their functions are the same as those of FIG. 2 or similar to those of FIG. 2 .
  • the firewall UI application 201 provides a UI related to a firewall operation.
  • the firewall UI application 201 may provide a firewall operation job, a firewall stopping job, a rule adding job, a rule changing job, a specific rule removing job, an entire rule removing job, a rule state displaying job, a job of outputting a packet log applied to each rule, and a job of changing a basic rule setting.
  • the firewall UI application 201 may receive a rule for packet data filtering from the user, and may display a result of packet data filtering by the firewall engine 229 for the user.
  • the firewall UI application 201 may perform updating with respect to the rule DB 224 .
  • the firewall UI application 201 may display a result of packet filtering for each process by the miniport driver 217 for the user, and may update the rule DB 219 by receiving a rule for each process from the user.
  • the AM SOC stream interface driver 211 may receive data from the firewall UI application 201 and transmit the data to the AP driver 221 of the SOC, and may receive data from the AP driver 221 and transmit the data to the firewall UI application 201 .
  • the firewall manager 227 processes a user command input through the firewall UI application 201 .
  • the firewall manager 227 may add a rule to the rule DB 224 or change the rule DB 224 according to a user command, and may read out a state of the rule DB 224 and transmit the state to the firewall UI application 201 , thereby displaying the current state for the user.
  • firewall UI application 201 Since the other elements than the firewall UI application 201 , the stream interface driver 211 , and the firewall manager 227 or their functions are the same as those of FIG. 2 or similar to those of FIG. 2 , a detailed description is omitted.
  • the user may change a rule setting of the rule DB 219 and/or the rule DB 224 through the firewall UI application 201 as will be described with reference to FIGS. 5 to 8 .
  • FIG. 5 is a view to explain a rule setting screen provided by a firewall user interface according to an exemplary embodiment.
  • the firewall UI application 201 of the device 200 may provide a rule setting screen 500 in order for the user to set the rule DB 219 and/or the rule DB 224 .
  • the device 200 transmits the rule input by the user through the rule setting screen 50 to the SOC, and the SOC may reflect the rule transmitted from the device 200 into the rule DB stored in the storage unit of the SOC.
  • the rule setting screen 500 includes three sub-windows, that is, a basic setting window 510 , a basic rule setting window 520 , and a setting for each process window 530 .
  • the user may select one of the three sub-windows on the rule setting screen 500 to set a rule.
  • FIG. 5 illustrates the basic setting window 510 as selected one.
  • the basic setting window 510 is displayed if the user wishes to allow or block a site corresponding to a certain specific IP address or an IP address of a specific network band.
  • the basic setting window 510 includes an input box 512 to provide a function of a configuration helper 511 and includes input boxes to fill various fields such as a rule name, an IP, a protocol, and a port under the configuration helper 511 .
  • the configuration helper 511 helps a user who knows nothing of the network.
  • the configuration helper 511 provides a list of network applications, and, if at least one network application is selected from among the network applications included in this list by the user, the configuration helper 511 may automatically display at least one of an IP, a protocol, and a port necessary for executing the selected network application on an input box of the corresponding field.
  • a button of the input box 512 of the configuration helper 511 is selected by the user, a menu is displayed as shown in FIG. 6 . If the user selects one of the displayed network applications, the fields such as the rule name, the IP, the protocol, and the port under the configuration helper 511 in FIG. 5 are automatically filled.
  • the list of FIG. 6 includes a messenger, a P2P, game, a protocol such as ftp, http, telnet, ssh, and printer may be included in the list to be selected according to an exemplary embodiment.
  • the configuration helper 511 is provided since general users know nothing of a specific protocol or a port of a specific service. Also, even if a user well knows a network, the user may not know that ports 6891 ⁇ 6900 and ports 41800 ⁇ 41899 should be allowed in order to transmit/receive a file through an MSN messenger until the user finds a relevant document. Therefore, by providing the configuration helper 511 for the general users, the user can easily perform a firewall setting job with respect to a service as he/she wishes.
  • FIG. 7 is a view to explain the rule setting screen 500 to set a basic rule according to an exemplary embodiment.
  • FIG. 7 illustrates the basic rule setting window 520 as selected one.
  • the basic rule is a rule to be applied if a packet that does not conform to the rule set by the user as shown in FIG. 5 is input.
  • the basic rule setting window 520 may include a box 521 that explains a basic rule and a box 522 that displays a current basic rule state, and may include an all block button 523 and an all allow button 524 .
  • the box 521 explaining the basic rule is an explanation box to explain a meaning of a basic rule setting to the user, and the box 522 displaying the current basic rule state displays a state of a currently set basic rule.
  • the basic rule as a basic default value, may be set to allow packets that are transmitted to the outside (outgoing packets) and block packets that are input to the device (incoming packets).
  • the all block button 523 and the all allow button 524 are to set such a basic rule setting as ‘blocking’ or ‘allowing’ all of the outgoing and incoming packets, respectively.
  • Rule setting information input by the user through the basic setting window 510 or the basic rule setting window 520 of the rule setting screen 500 is transmitted to the firewall manager 227 of the SOC through the stream interface driver 211 , and is reflected into the rule DB 224 by the firewall manager 227 , so that the rule DB is updated.
  • FIG. 8 is a view to explain the rule setting screen to set a rule according to a process according to an exemplary embodiment, in which the setting window 530 is selected.
  • the setting for each process window 530 is an area to input a rule for each process that defines a packet as being allowed or blocked according to a process of an application, and may include a process list 531 , a selection box 532 , a block button 533 , and an allow button 534 .
  • the user may set a firewall regarding a process of a certain specific application as ‘allow’ through the setting window 530 , thereby allowing all packets generated by the process to pass, and may set a firewall regarding a process of a certain specific application as ‘block’, thereby blocking all packets generated by the process.
  • rule setting information input by the user through the setting window 530 of the setting screen 500 is reflected into the rule DB 219 by the stream interface driver 211 , so that the rule DB for each process is updated.
  • the rule DB 219 may be updated by the firewall UI application 201 or other element.
  • FIG. 9 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • the rule DB 219 of the kernel layer in the exemplary embodiment of FIG. 9 is optional. Accordingly, it is assumed that the rule DB 219 is not provided in FIG. 9 .
  • Functions or roles of the other elements are the same as those of FIG. 4 or similar to those of FIG. 4 and thus a detailed description is omitted.
  • the miniport driver 217 does not perform receiving the rule DB for each process from the rule DB and comparing the packet and the rule DB. Instead, if the device 200 transmits a packet to an external device for example, the miniport driver 217 receives the packet, identifies an ID of an owner process of the packet, and transmits the process ID to the SOC along with the packet, and the SOC applies the rule DB for each process to the packet.
  • the rule DB 224 further includes a rule DB for each process, and the rule DB for each process includes a rule DB that defines a packet as being allowed or blocked according to a process. Accordingly, if a packet is transmitted to the firewall engine 229 , the firewall engine 229 determines whether the owner process of the packet is allowed to transmit and receive the packet or not according to the rule for each process stored in the rule DB 224 , and allows or blocks the packet according to a result of determining and also may request to stop executing the owner process.
  • FIG. 10 is a flowchart to explain a packet filtering method of the device of FIG. 9 if the device 200 transmits a packet to an external device according to an exemplary embodiment.
  • a packet is generated by a certain application 203 and is transmitted to the miniport driver 217 prior to being transmitted to the outside of the device 200 in operation S 1001 .
  • the miniport driver 217 identifies an owner process of the packet in operation S 1003 .
  • the owner process may be identified by a process ID included in the packet.
  • the identification information may be a process ID for example.
  • the packet and the identification information are transmitted to the firewall engine 229 of the SOC, and the firewall engine 229 determines whether the owner process is allowed to transmit the packet to the external device in operation S 1007 .
  • the rule DB for each process may be used. That is, the rule DB 224 may include a rule that defines a packet as being allowed or blocked according to a process, and it is determined whether the owner process is allowed to transmit the packet or not according to the rule for each process.
  • the firewall engine 229 performs packet filtering in operation S 1009 . That is, a filtering job, such as determining whether to allow or block the packet according to the packet filtering rule stored in the rule DB 224 , may be performed, and the packet is allowed or blocked according to a result of the determining.
  • the packet filtering operation (operation S 1009 ) may be performed before the determining operation (operation S 1007 ). That is, the determining operation (S 1007 ) may be performed with respect to only the packet that passes through the packet filtering operation.
  • the firewall engine 229 does not transmit the packet to the NIC driver 228 in operation S 1011 . According to an exemplary embodiment, the firewall engine 229 may discard the packet. In addition, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S 1013 .
  • FIG. 11 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • NIC driver 228 Comparing the device of FIG. 9 , locations of the NIC driver 228 and the NIC 231 provided in order for the device 200 to communicate with an external device are different. Referring to FIG. 11 , the NIC 231 is located on a body of the device 200 rather than the SOC and the NIC driver 228 is also located on the NDIS 218 of the kernel layer. Functions or roles of the other elements are the same as those of FIG. 9 or similar to those of FIG. 9 and thus a detailed description is omitted.
  • a packet that is transmitted to an external device from the device 200 or a packet that is received by the device 200 from an external device may be transmitted to the miniport driver 217 .
  • the miniport driver 217 identifies an ID of an owner process of each of the packets transmitted or received and transmits the process ID to the SOC along with the packet, and the SOC applies the rule DB for each process to the packet.
  • FIG. 12 is a flowchart to explain a packet filtering method of the device of FIG. 11 according to an exemplary embodiment.
  • a packet transmitted or received is transmitted to the miniport driver 217 in operation S 1201 , and the miniport driver 217 identifies an owner process of the packet in operation S 1203 .
  • the owner process may be identified by a process ID included in the packet.
  • the identification information may be a process ID for example.
  • the packet and the identification information (for example, a process ID) is transmitted to the firewall engine 229 of the SOC, and the firewall engine 229 determines whether the owner process is allowed to transmit or receive the packet or not using the rule DB for each process in operation S 1207 . That is, if the packet is to be transmitted to an external device, it is determined whether the owner process of the packet is allowed to transmit the packet or not, and, if the packet is received from an external device, it is determined whether the owner process of the packet is allowed to receive the packet or not.
  • the firewall engine 229 determines whether the owner process is allowed to transmit or receive the packet or not using the rule DB for each process in operation S 1207 . That is, if the packet is to be transmitted to an external device, it is determined whether the owner process of the packet is allowed to transmit the packet or not, and, if the packet is received from an external device, it is determined whether the owner process of the packet is allowed to receive the packet or not.
  • the firewall engine 229 performs packet filtering in operation S 1209 . That is, a packet filtering job may be performed according to the packet filtering rule stored in the rule DB 224 , and the packet is allowed or blocked according to a result of the packet filtering. Alternatively, the packet filtering operation (operation S 1209 ) may be performed before the determining operation (operation S 1207 ).
  • the firewall engine 229 does not transmit the packet to the NIC driver 228 in operation S 1211 . According to an exemplary embodiment, the firewall engine 229 may discard the packet. Additionally, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S 1213 .
  • the firewall engine 229 does not transmit the packet to the application 203 in operation S 1211 . According to an exemplary embodiment, the firewall engine 229 may discard the packet. Additionally, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S 1213 .
  • FIG. 13 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • FIG. 13 is different from FIG. 11 in that the SOC includes only hardware elements. That is, the SOC of FIG. 13 includes the AP driver 221 and the firewall engine 229 to communicate with the kernel layer of the device 200 .
  • the firewall engine 229 may include a memory 241 and a matcher 242 .
  • the memory 241 loads the rule DB stored in the storage device of the device 200 and temporarily stores the rule DB, and may be a volatile storage device.
  • the matcher 242 may determine whether to allow or block a packet by comparing the packet and the packet filtering rule of the rule DB and/or the rule for each process. Functions or roles of the other elements are same as those of FIG. 11 or similar to those of FIG. 11 and THUS a detailed description thereof is omitted.
  • a packet filtering operation of the device of FIG. 13 is the same as that of FIG. 12 or similar to that of FIG. 12 .
  • the rule DB 219 stored in the storage device of the device 200 is loaded into the memory 241 of the SOC.
  • the miniport driver 217 identifies an ID of an owner process of each of packets transmitted or received and transmits the process ID to the SOC along with the packet, and the firewall engine 229 of the SOC applies the packet filtering rule including the rule for each process.
  • the packet is set to be allowed or blocked or execution of the process itself is stopped in the unit of ‘process’ of an application (program) in the above exemplary embodiments
  • the above operation may be performed in the unit of program other than a process.
  • an owner program of the packet may be identified and execution of the program may be stopped. That is, the above-described embodiments may be included in the present disclosure even if the ‘process’ is substituted with a ‘program’.
  • the embodiments described above may be realized by a computer readable code on a computer readable recording medium.
  • the computer readable recording medium includes all kinds of recording apparatuses that store data readable by a computer system. Examples of the computer readable recording medium are a read only memory (ROM), a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy-disk, and an optical data storage device, and also may include a storage device realized in a format of a carrier wave (for example, transmission through the internet).
  • the computer readable recording medium is distributed over a computer system connected through a network and may store and execute a code readable by a computer in a distributed manner.
  • a firewall is set to allow or block packets according to a process of a network application, thereby allowing or blocking all of the packets generated by a process.
  • a firewall setting job can be more easily performed with respect to a service desired by a user by providing the configuration helper when setting the rule for packet filtering.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Business, Economics & Management (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

Provided is a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver.

Description

    CROSS-REFERENCE TO RELATED PATENT APPLICATION
  • This application claims benefit from U.S. Provisional Patent Application No. 61/453,290, filed on Mar. 16, 2011 in the United States Patent and Trademark Office, the disclosure of which is incorporated herein by reference in its entirety.
    • BACKGROUND
  • 1. Field
  • Apparatuses and methods consistent with the exemplary embodiments relate a system-on-chip (SOC)-based device which can provide packet filtering and a packet filtering method thereof, and more particularly, to a SOC-based device which can provide packet filtering by setting a firewall to allow or block packets according to a process of a network application, and a packet filtering method thereof.
  • 2. Description of the Related Art
  • As the internet is being widely used, malicious malware of various forms such as worm, Trojan horses, viruses, or DDoS appears and damage by the malware is increasing. Therefore, there is a demand for a method for responding to network attacks to protect information over a network and a relevant device.
  • In particular, mobile devices have limited available resources and thus require high speed filtering technology to filter packets at a high speed, while using resources at the minimum.
    • SUMMARY
  • One or more aspects of the exemplary embodiments provide a device which sets a firewall to allow or block packets according to a process of a network application, thereby allowing or blocking all of the packets generated by the process, and a packet filtering method thereof.
  • One or more aspects of the exemplary embodiments provide a device which can more easily perform a firewall setting job with respect to a service desired by a user by providing a configuration helper when setting a rule for packet filtering, and a packet filtering method thereof.
  • According to an aspect of an exemplary embodiment, there is provided a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver.
  • According to an aspect of another exemplary embodiment, there is provided a packet filtering method of a device on which a SOC is mounted and which includes network processes, the packet filtering method including: identifying, by the device, an owner process of a packet to be transmitted, and transmitting the packet to the SOC only if the owner process of the packet to be transmitted is allowed to transmit the packet to an external device, and filtering, by the SOC, the packet transmitted from the device by applying a rule for packet filtering.
  • According to an aspect of still another exemplary embodiment, there is provided a non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method including: identifying an owner process of a packet to be transmitted to an external device, and, only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device, transmitting the packet to a chip that is mounted on the computer and has a packet filtering function.
  • According to an aspect of still another exemplary embodiment, there is provided a device including a chip that includes a firewall engine, and a driver, wherein the driver obtains an owner process ID of a packet to be transmitted to an external device and transmits the packet and the owner process ID of the packet to the chip, wherein the firewall engine of the chip filters the packet transmitted from the driver using a rule DB for packet filtering.
  • According to an aspect of still another exemplary embodiment, there is provided a non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method including: identifying an owner process of a packet to be transmitted to an external device, obtaining an owner process ID of the packet to be transmitted to the external device, and transmitting the packet to be transmitted to the external device and the owner process ID of the packet to a chip that is mounted on the computer and has a packet filtering function.
  • Additional aspects and advantages of the exemplary embodiments will be set forth in the detailed description, will be obvious from the detailed description, or may be learned by practicing the exemplary embodiments.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other features and advantages will become more apparent by describing in detail exemplary embodiments with reference to the attached drawings in which:
  • FIG. 1 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment;
  • FIG. 2 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment;
  • FIGS. 3A and 3B are flowcharts to explain a packet filtering method of the device 2 according to an exemplary embodiment;
  • FIG. 4 is a view to explain a device on which a SOC is mounted according to another exemplary embodiment;
  • FIG. 5 is a view to explain a rule setting screen provided by a firewall user interface according to an exemplary embodiment;
  • FIG. 6 is a view to explain a function of a configuration helper according to an exemplary embodiment;
  • FIG. 7 is a view to explain a rule setting screen to set a basic rule according to an exemplary embodiment;
  • FIG. 8 is a view to explain a rule setting screen to set a rule according to a process according to an exemplary embodiment;
  • FIG. 9 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment;
  • FIG. 10 is a flowchart illustrating a packet filtering method of FIG. 9 according to an exemplary embodiment;
  • FIG. 11 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment;
  • FIG. 12 is a flowchart illustrating a packet filtering method of the device of FIG. 11 according to an exemplary embodiment; and
  • FIG. 13 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
    •  DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
  • Exemplary embodiments will now be described more fully with reference to the accompanying drawings to clarify aspects, features and advantages of the inventive concept. The exemplary embodiments may, however, be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth herein. Rather, the exemplary embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the application to those of ordinary skill in the art. It will be understood that when an element, layer or region is referred to as being “on” another element, layer or region, the element, layer or region can be directly on another element, layer or region or intervening elements, layers or regions.
  • The terms used herein are for the purpose of describing particular exemplary embodiments only and are not intended to be limiting. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, do not preclude the presence or addition of one or more other components.
  • Hereinafter, exemplary embodiments will be described in greater detail with reference to the accompanying drawings. The matters defined in the description, such as detailed construction and elements, are provided to assist in a comprehensive understanding of the exemplary embodiments. However, it is apparent that the exemplary embodiments can be carried out by those of ordinary skill in the art without those specifically defined matters. In the description of the exemplary embodiment, certain detailed explanations of related art are omitted when it is deemed that they may unnecessarily obscure the essence of the inventive concept.
  • FIG. 1 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment.
  • Referring to FIG. 1, a device 1 according to an exemplary embodiment includes a SOC 3 mounted thereon and having a firewall function to filter packets.
  • The device 1 may include at least one application that uses a packet transmitted/received through a network, and each application may include at least one process. For convenience of explanation, a process that uses a certain packet by transmitting the packet to an external device or receiving the packet from the external device is referred to as an “owner process” of the packet. According to an exemplary embodiment, each of the processes is assigned an identification (ID) so that the processes can be distinguished from one another. Each packet includes a process ID of an owner process using the packet. Accordingly, the owner process using the packet may be identified by the process ID included in the packet.
  • According to an exemplary embodiment, the SOC 3 may include a network interface card (NIC) and accordingly the device 1 may transmit the packet to the external device through the SOC 3 and may receive the packet from the external device through the SOC 3.
  • The SOC 3 may include a storage unit that stores a rule, which is a criterion based on which a packet is determined to be allowed or blocked, and a firewall engine that allows the packet to be transmitted/received or blocks the packet by applying the rule. If the SOC 3 receives a packet from the device 1 in this configuration, the SOC 3 transmits the packet to an external device or blocks the packet by applying a rule database (DB) stored in the SOC. Also, if the SOC 3 receives a packet from an external device, the SOC may transmit the packet to the device 1 or block the packet by applying the rule DB.
  • The device 1 may perform the following operations when transmitting a packet to an external device.
  • If the SOC 3 includes the NIC and the device 1 transmits/receives the packet with the external device through the NIC, the device 1 identifies the owner process of the packet to be transmitted and transmits the packet to the SOC 3 only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device.
  • The SOC 3 stores a pre-defined rule in the rule DB and allows the packet to be transmitted to the external device or blocks the packet by applying the rule. To achieve this, the SOC 3 may include a firewall engine that is configured in a hardware and/or software level.
  • The device 1 may include a rule DB for each process that defines a packet as being allowed or blocked according to a process. Also, the device 1 obtains the process ID of the owner process included in the packet to be transmitted to the external device, and determines whether the owner process is allowed to transmit the packet to the external device or not by referring to the rule DB for each process. Only if the owner process is allowed to transmit the packet, the device 1 transmits the packet to the SOC 3.
  • Also, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device as a result of applying the rule for each process to the packet, the device 1 does not transmit the packet to the SOC 3.
  • Additionally, if the owner process of the packet to be transmitted to the external device is not allowed to transmit the packet to the external device, the device 1 may stop executing the owner process of the packet.
  • The device 1 may perform the following operations when receiving a packet from an external device.
  • If the SOC 3 includes the NIC and receives a packet from an external device through the NIC, the SOC 3 determines whether to allow or block the packet received from the external device by applying the rule DB of the SOC 3.
  • The SOC 3 transmits the packet to the device 1 only if the packet is allowed to pass as a result of applying the rule.
  • According to an exemplary embodiment, the device 1 includes a rule DB for each process that defines a packet as being allowed or blocked according to a process. Accordingly, the device 1 may apply the rule for each process to the packet received from the SOC 3 prior to transmitting the packet to the owner process.
  • If the owner process of the packet received from the SOC 3 is prohibited from receiving as a result of applying the rule for each process, the device 1 does not transmit the packet to the owner process and discards the packet. According to an exemplary embodiment, the device 1 may stop executing the owner process of the discarded packet.
  • The device 1 may provide a rule setting screen to receive a setting of a rule from the user. The rule setting screen may include an area to receive information of at least one of an IP, a protocol, and a port from the user. The rule setting screen will be described later.
  • The device 1 transmits the rule input by the user through the rule setting screen to the SOC 3, and the SOC 3 may reflect the rule transmitted from the device 1 into the rule DB stored in the storage unit of the SOC 3
  • Among the rules input by the user, the device 1 may not transmit the rule for each process to the SOC 3 and may store the rule for each process in a storage unit (not shown) of the device 1. After that, the device 1 may allow or block the packet according to a process using the rule for each process stored in the storage unit (not shown) of the device 1.
  • Although not shown in FIG. 1, the SOC 3 may include hardware and/or software resources including a central processing unit (CPU), a memory, a memory controller, and a rule DB storage unit. Although the resources necessary for driving programs such as a CPU, a memory, a memory controller, and a rule DB storage unit are not explicitly explained in this specification, it should be understood that the hardware and software resources necessary for driving the programs and operations thereof are included. For example, the firewall engine included in the SOC 3 may include a matcher to match the rule DB and the packet and a firmware to operate the matcher. However, although the matcher and the firmware are not explicitly mentioned, it should be understood that a storage unit to store the firmware and a CPU to load the firmware into a memory are included in the SOC 3.
  • Similarly, if the device 1 is described as including a certain application or driver, it should be understood that hardware and/or software resources to operate the application or driver are included.
  • The device 1 may be a mobile device such as a smart phone or a personal digital assistant (PDA). However, this is merely an example and the device 1 may be a fixed-type device such as a desktop computer.
  • FIG. 2 is a view to explain a device on which a SOC is mounted according to an exemplary embodiment. In the exemplary embodiment of FIG. 2, a firewall is realized based on the SOC and is mounted on the device 200.
  • As shown in FIG. 2, the device 200 may be divided into an application layer, a kernel layer, a SOC layer, and a NIC layer. Some of these function layers may be omitted or another function layer may be added according to an exemplary embodiment. Also, a detailed element of each function layer may be modified. Therefore, the configuration of FIG. 2 is merely an example and the present disclosure should not be limited to FIG. 2. Hereinafter, the present disclosure is explained based on the embodiment of FIG. 2.
  • Referring to FIG. 2, the application layer may include an application 203. The application layer is the uppermost function layer of the device 200 and includes the application 203 that uses packet data to be packet-filtered. For example, the application 203 may be at least one of a web browser 203-1, a telnet 203-2, and an FTP server 203-3, and may be one of applications that use predetermined packet data.
  • In the exemplary embodiment of FIG. 2, the kernel layer of the device 200 may transmit information within the packet data received by the device 200 from an external device to the application layer, or may generate packet data according to a request by the application layer and transmit the packet data to an external device.
  • If a transmission control protocol/internet protocol (TCP/IP) is used to transmit/receive packet data as shown in FIG. 2, the device 200 includes a TCP/IP driver 215. Also, if the device 200 uses Windows as an operating system (OS), the device 200 includes a WinSock 213. Since the operations of the TCP/IP driver 215 and the WinSock 213 are well known, a detailed description thereof is omitted.
  • If the device 200 uses a different protocol other than the TCP/IP, the device 200 may include a driver for using the different protocol, and, if the device 200 uses a different operating system other than the Windows operating system, the device 200 may include an element other than the WinSock 213.
  • The kernel layer may further include a network driver interface specification (NDIS) 218, and the NDIS 218 may include an anti-malware SOC miniport driver 217 (hereinafter, referred to as a Thiniport driver').
  • The miniport driver 217 may receive the packet data from the application 203 and transmit the packet data to an AP driver 221, or may receive packet data from the AP driver 221 and transmit the packet data to an upper layer.
  • According to an exemplary embodiment, the miniport driver 217 may filter the packet data according to a process prior to transmitting the packet data to the AP driver 221. If a rule set according to a process is included among the rules set by the user, the rule is stored in an area managed by the kernel layer. In this exemplary embodiment, the rule for each process may be stored in a rule DB 219. The rule DB 219 may store only the rule for each process and may further store a rule used for filtering the packet. If the packet data is received from the application 203, the miniport driver 217 identifies an owner process and determines whether to allow the packet or not by referring to the rule for each process. This operation will be described in detail with reference to FIG. 3.
  • The SOC mounted on the device 200 of FIG. 2 includes the AP driver 221, a firewall engine 229, an NIC driver 228, and an NIC 231.
  • The AP driver 221 receives data from the miniport driver 217 and transmits the data to the firewall engine 229. The firewall engine 229 goes through a packet verification process and performs packet filtering. The packet verification process is to prevent an attack such as Syn Flooding.
  • The firewall engine 229 determines whether to allow or block the packet data by applying a filtering rule to the packet data, and performs filtering, that is, allows or blocks the packet data according to a result of the determining. The SOC includes a rule DB 224 and the firewall engine 229 performs packet filtering using a rule stored in the rule DB 224.
  • If a packet is to be transmitted to the outside of the device 200, the firewall engine 229 transmits only the packet that is determined to be ‘allowed’ as a result of the packet filtering to the NIC driver 228. The NIC driver 228 transmits the packet received from the firewall engine 229 to the NIC 231. After that, the NIC 213 transmits the packet to an external network.
  • If the device 200 receives a packet from an external device, the firewall engine 229 transmits only the packet that is determined to be ‘allowed’ as a result of the packet filtering to the AP driver 221, and the AP driver 221 transmits the packet to the miniport driver 217.
  • The NIC 231 may transmit the packet data to a packet data network or receive the packet data from the packet data network, and may be mounted in the SOC as a part. The NIC 231 may receive the packet data through a wired or wireless LAN, for example.
  • A packet filtering operation of the above configuration according to an exemplary embodiment will be explained with reference to FIGS. 3A and 3B.
  • FIGS. 3A and 3B are flowcharts to explain a packet filtering method according to an exemplary embodiment. Specifically, FIG. 3A is a flowchart illustrating a packet filtering method if a packet is transmitted to an external device, and FIG. 3B is a flowchart illustrating a packet filtering method if a packet is received from an external device.
  • Referring to FIG. 3A, a packet is generated by the application 203 and is received by the miniport driver 217 prior to being transmitted to the outside of the device 200 in operation S101.
  • The miniport driver 217 identifies an owner process of this packet in operation S103. According to an exemplary embodiment, the owner process may be identified by a process ID included in the packet.
  • It is determined whether the owner process is allowed to transmit the packet to the outside in operation S105. In this determining operation, a rule DB for each process may be used. That is, the device 200 may include the rule DB 219 that defines a packet as being allowed or blocked according to a process, and it is determined whether the owner process is allowed to transmit the packet or not according to the rule for each process stored in the rule DB 219.
  • If it is determined that the owner process is allowed to transmit the packet in operation S105, the miniport driver 217 transmits the packet to the SOC in operation S107.
  • If the SOC receives the packet from the device 200, the SOC performs packet filtering in operation S109. For example, the firewall engine 229 performs packet filtering and allows or blocks the packet according to a result of the packet filtering. At this time, the firewall engine 229 may perform filtering by applying a pre-defined rule stored in the rule DB 224.
  • On the other hand, if it is determined that the owner process is not allowed to transmit the packet in operation S105, the miniport driver 217 does not transmit the packet to the SOC in operation S111. That is, according to an exemplary embodiment, the miniport driver 217 may discard the packet. In addition, the miniport driver 217 may stop executing the owner process in operation S113.
  • Packet filtering may be performed as shown in FIG. 3B if the device 200 receives a packet from an external device.
  • Referring to FIG. 3B, the miniport driver 217 of the device 200 receives a packet form an external device in operation S201. Although the packet is transmitted to the miniport driver 217 through the SOC in the embodiment of FIG. 2, the packet may not pass through the SOC according to an exemplary embodiment. If the packet passes through the SOC, the firewall engine 229 of the SOC performs packet filtering and the packet that is allowed to pass by the packet filtering is transmitted to the miniport driver 217. However, according to an exemplary embodiment, the packet may be transmitted to the miniport driver 217 without being filtered by the firewall engine 229.
  • The miniport driver 217 identifies an owner process of the packet in operation S203. According to an exemplary embodiment, the owner process may be identified by a process ID included in the packet.
  • It is determined whether the owner process is allowed to receive the packet in operation S205. In this determining operation, the rule DB for each process may be used. That is, if the device 200 includes the rule DB 219, it is determined whether the owner process is allowed to receive the packet or not according to the rule for each process stored in the rule DB 219.
  • If it is determined that the owner process is allowed to receive the packet in operation S205, the miniport driver 217 transmits the packet to the owner process in operation S207.
  • However, if it is determined that the owner process is not allowed to receive the packet in operation S205, the miniport driver 217 does not transmit the packet to the owner process in operation S209. According to an exemplary embodiment, the miniport driver 217 may discard the packet. In addition, the miniport driver 217 may stop executing the owner process in operation S211.
  • FIG. 4 is a view to explain a device on which a SOC is mounted according to another exemplary embodiment.
  • Comparing the device of FIG. 2, the device 200 according to the exemplary embodiment of FIG. 4 further includes a firewall user interface (UI) application 201 and an anti-malware (AM) SOC stream interface driver 211, and the SOC further includes a firewall manager 227. The other elements and their functions are the same as those of FIG. 2 or similar to those of FIG. 2.
  • The firewall UI application 201 provides a UI related to a firewall operation. For example, the firewall UI application 201 may provide a firewall operation job, a firewall stopping job, a rule adding job, a rule changing job, a specific rule removing job, an entire rule removing job, a rule state displaying job, a job of outputting a packet log applied to each rule, and a job of changing a basic rule setting.
  • The firewall UI application 201 may receive a rule for packet data filtering from the user, and may display a result of packet data filtering by the firewall engine 229 for the user. The firewall UI application 201 may perform updating with respect to the rule DB 224.
  • According to an exemplary embodiment, the firewall UI application 201 may display a result of packet filtering for each process by the miniport driver 217 for the user, and may update the rule DB 219 by receiving a rule for each process from the user.
  • The AM SOC stream interface driver 211 (hereinafter, referred to as a ‘stream interface driver’) may receive data from the firewall UI application 201 and transmit the data to the AP driver 221 of the SOC, and may receive data from the AP driver 221 and transmit the data to the firewall UI application 201.
  • The firewall manager 227 processes a user command input through the firewall UI application 201. For example, the firewall manager 227 may add a rule to the rule DB 224 or change the rule DB 224 according to a user command, and may read out a state of the rule DB 224 and transmit the state to the firewall UI application 201, thereby displaying the current state for the user.
  • Since the other elements than the firewall UI application 201, the stream interface driver 211, and the firewall manager 227 or their functions are the same as those of FIG. 2 or similar to those of FIG. 2, a detailed description is omitted.
  • In the configuration of FIG. 4, the user may change a rule setting of the rule DB 219 and/or the rule DB 224 through the firewall UI application 201 as will be described with reference to FIGS. 5 to 8.
  • FIG. 5 is a view to explain a rule setting screen provided by a firewall user interface according to an exemplary embodiment.
  • According to an exemplary embodiment, the firewall UI application 201 of the device 200 may provide a rule setting screen 500 in order for the user to set the rule DB 219 and/or the rule DB 224.
  • The device 200 transmits the rule input by the user through the rule setting screen 50 to the SOC, and the SOC may reflect the rule transmitted from the device 200 into the rule DB stored in the storage unit of the SOC.
  • Referring to FIG. 5, the rule setting screen 500 includes three sub-windows, that is, a basic setting window 510, a basic rule setting window 520, and a setting for each process window 530. The user may select one of the three sub-windows on the rule setting screen 500 to set a rule. Among these, FIG. 5 illustrates the basic setting window 510 as selected one.
  • The basic setting window 510 is displayed if the user wishes to allow or block a site corresponding to a certain specific IP address or an IP address of a specific network band.
  • In the exemplary embodiment of FIG. 5, the basic setting window 510 includes an input box 512 to provide a function of a configuration helper 511 and includes input boxes to fill various fields such as a rule name, an IP, a protocol, and a port under the configuration helper 511.
  • The configuration helper 511 helps a user who knows nothing of the network. According to an exemplary embodiment, the configuration helper 511 provides a list of network applications, and, if at least one network application is selected from among the network applications included in this list by the user, the configuration helper 511 may automatically display at least one of an IP, a protocol, and a port necessary for executing the selected network application on an input box of the corresponding field.
  • For example, if a button of the input box 512 of the configuration helper 511 is selected by the user, a menu is displayed as shown in FIG. 6. If the user selects one of the displayed network applications, the fields such as the rule name, the IP, the protocol, and the port under the configuration helper 511 in FIG. 5 are automatically filled.
  • Although the list of FIG. 6 includes a messenger, a P2P, game, a protocol such as ftp, http, telnet, ssh, and printer may be included in the list to be selected according to an exemplary embodiment.
  • The configuration helper 511 is provided since general users know nothing of a specific protocol or a port of a specific service. Also, even if a user well knows a network, the user may not know that ports 6891˜6900 and ports 41800˜41899 should be allowed in order to transmit/receive a file through an MSN messenger until the user finds a relevant document. Therefore, by providing the configuration helper 511 for the general users, the user can easily perform a firewall setting job with respect to a service as he/she wishes.
  • Referring back to FIG. 5, the various fields under the configuration helper 511 will be explained:
      • Rule Name: Field to input a name of a rule.
      • Internet Protocol: Field to set an IP to which a rule is applied. In an exemplary embodiment, the IP field may be set in the following type:
  • IP field Meaning
    192.168.0.1 Designating a specific
    network band
    192.168.0.* Designating a specific
    network band
    192.168.*.* Designating a specific
    network band
    192.***.* Designating a specific
    network band
    *.*.*.* Meaning all IPs
    * Meaning all IPs
    Blank Meaning all IPs
    192.168.0.0/255.255.255.0 Designating a specific
    network band
    192.168.0.10/255.255.255.224 Designating a specific
    network band
    (subnet is used)
    192.168.0.20/24 Designating a specific
    network band
    192.168.0.30/27 Designating a specific
    network band
    (subnet is used)
    FDEC:BA98:0074:3210:000F:BBFF:0000:2345 Meaning IPv6 IP
    FDEC:BA98:74:3210:F:BBFF:0:2345 Meaning IPv6 IP
    FDEC:BA98:74:3210:F:BBFF:0:FFFF/26 Meaning a IPv6 specific
    network band
      • In the input example of table 1, the mark ‘*’ may be used as in 192.168.*.*'. The mark ‘192.168.*.*’ is the same as the mark ‘192.168.0.0/255.255.0.0’ or ‘192.168.0.0/16’ in that it means a specific network band. However, general users may understand ‘192.168.*.*’ more easily than ‘192.168.0.0/255.255.0.0’ or ‘192.168.0.0/16’, and thus ‘192.168.*.*’ is allowed in this exemplary embodiment.
      • However, if a network band is designated by the mark 192.168.*., a sub-netmask cannot be designated. Therefore, the marks ‘192.168.0.0/255.255.0.0’ or ‘192.168.0.0/16’ may be used in parallel. Also, in the input example of table 1, the netmask field does not exist and instead it is incorporated into the IP field. The user may know an IP and a port, even if he/she knows nothing of the network. However, it is highly likely that the user who knows nothing of the network does not know the meaning of the netmask.
      • Protocol: Field to set a protocol to which a rule is applied. In an exemplary embodiment, if a protocol button is pressed, a menu list such as ‘ALL’, ‘TOP’, ‘UDP’, and ‘ICMP’ may be displayed. Besides the basic protocols, other protocols may be supported.
      • Port: Field to set a port to which a rule is applied. The user may input directly or may select by pressing a menu button. If the menu button is pressed, a protocol character string such as ftp, http, telnet, ssh is displayed. If one of these is selected, a minimum port number and a maximum port number may automatically enter or may be input by the user.
      • Direction: Field to designate a direction of a packet to which a rule is applied. In an exemplary embodiment, if a button is pressed, a menu list such as ‘ALL’, ‘In→Out’, ‘Out→In’ may be displayed. ‘In→Out’ means that a rule is applied to only a packet that is transmitted to the outside of the device 200, ‘Out→In’ means that a rule is applied to only a packet that is received by the device 200, and ‘ALL’ means that a rule is applied to all of the packets transmitted and received.
      • Local Device: Field to set a network interface IP to which a rule is applied. For example, if the device 200 includes two NICs and a rule is to be applied to a packet input through a specific NIC, an IP of the specific NIC is entered in this field. If a button of this field is pressed, ‘ALL’ or an IP list of a local device is displayed to be selected.
      • MAC Address: Field to set a MAC address to which a rule is applied.
      • Action: Field to set what action is to be taken if a packet matched with a rule is input. The action may include ‘Nothing’, ‘Allow’, ‘Block’, and ‘Logging’. The ‘Logging’ is a function of leaving a record of a log regarding a packet to which a rule is applied.
  • Referring to FIG. 7, a method of setting a basic rule according to an exemplary embodiment will be explained. FIG. 7 is a view to explain the rule setting screen 500 to set a basic rule according to an exemplary embodiment. FIG. 7 illustrates the basic rule setting window 520 as selected one.
  • The basic rule is a rule to be applied if a packet that does not conform to the rule set by the user as shown in FIG. 5 is input. Referring to FIG. 7, the basic rule setting window 520 may include a box 521 that explains a basic rule and a box 522 that displays a current basic rule state, and may include an all block button 523 and an all allow button 524.
  • The box 521 explaining the basic rule is an explanation box to explain a meaning of a basic rule setting to the user, and the box 522 displaying the current basic rule state displays a state of a currently set basic rule.
  • In an exemplary embodiment, the basic rule, as a basic default value, may be set to allow packets that are transmitted to the outside (outgoing packets) and block packets that are input to the device (incoming packets). The all block button 523 and the all allow button 524 are to set such a basic rule setting as ‘blocking’ or ‘allowing’ all of the outgoing and incoming packets, respectively.
  • Rule setting information input by the user through the basic setting window 510 or the basic rule setting window 520 of the rule setting screen 500 is transmitted to the firewall manager 227 of the SOC through the stream interface driver 211, and is reflected into the rule DB 224 by the firewall manager 227, so that the rule DB is updated.
  • FIG. 8 is a view to explain the rule setting screen to set a rule according to a process according to an exemplary embodiment, in which the setting window 530 is selected.
  • The setting for each process window 530 is an area to input a rule for each process that defines a packet as being allowed or blocked according to a process of an application, and may include a process list 531, a selection box 532, a block button 533, and an allow button 534.
  • The user may set a firewall regarding a process of a certain specific application as ‘allow’ through the setting window 530, thereby allowing all packets generated by the process to pass, and may set a firewall regarding a process of a certain specific application as ‘block’, thereby blocking all packets generated by the process.
  • According to an exemplary embodiment, rule setting information input by the user through the setting window 530 of the setting screen 500 is reflected into the rule DB 219 by the stream interface driver 211, so that the rule DB for each process is updated. However, alternatively, the rule DB 219 may be updated by the firewall UI application 201 or other element.
  • FIG. 9 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • Comparing the device of FIG. 4, the rule DB 219 of the kernel layer in the exemplary embodiment of FIG. 9 is optional. Accordingly, it is assumed that the rule DB 219 is not provided in FIG. 9. Functions or roles of the other elements are the same as those of FIG. 4 or similar to those of FIG. 4 and thus a detailed description is omitted.
  • In the exemplary embodiment of FIG. 9, the miniport driver 217 does not perform receiving the rule DB for each process from the rule DB and comparing the packet and the rule DB. Instead, if the device 200 transmits a packet to an external device for example, the miniport driver 217 receives the packet, identifies an ID of an owner process of the packet, and transmits the process ID to the SOC along with the packet, and the SOC applies the rule DB for each process to the packet.
  • That is, in the exemplary embodiment of FIG. 9, the rule DB 224 further includes a rule DB for each process, and the rule DB for each process includes a rule DB that defines a packet as being allowed or blocked according to a process. Accordingly, if a packet is transmitted to the firewall engine 229, the firewall engine 229 determines whether the owner process of the packet is allowed to transmit and receive the packet or not according to the rule for each process stored in the rule DB 224, and allows or blocks the packet according to a result of determining and also may request to stop executing the owner process.
  • Such a packet filtering operation will be explained with reference to FIG. 10.
  • FIG. 10 is a flowchart to explain a packet filtering method of the device of FIG. 9 if the device 200 transmits a packet to an external device according to an exemplary embodiment.
  • Referring to FIG. 10, a packet is generated by a certain application 203 and is transmitted to the miniport driver 217 prior to being transmitted to the outside of the device 200 in operation S1001.
  • The miniport driver 217 identifies an owner process of the packet in operation S1003. According to an exemplary embodiment, the owner process may be identified by a process ID included in the packet.
  • Information identifying the owner process using the packet is generated and transmitted to the SOC along with the packet in operation S1005. At this time, the identification information may be a process ID for example.
  • The packet and the identification information (for example, a process ID) are transmitted to the firewall engine 229 of the SOC, and the firewall engine 229 determines whether the owner process is allowed to transmit the packet to the external device in operation S1007. In this determining operation, the rule DB for each process may be used. That is, the rule DB 224 may include a rule that defines a packet as being allowed or blocked according to a process, and it is determined whether the owner process is allowed to transmit the packet or not according to the rule for each process.
  • If it is determined that the owner process is allowed to transmit the packet in operation S1007, the firewall engine 229 performs packet filtering in operation S1009. That is, a filtering job, such as determining whether to allow or block the packet according to the packet filtering rule stored in the rule DB 224, may be performed, and the packet is allowed or blocked according to a result of the determining.
  • Alternatively, the packet filtering operation (operation S1009) may be performed before the determining operation (operation S1007). That is, the determining operation (S1007) may be performed with respect to only the packet that passes through the packet filtering operation.
  • If the owner process is not allowed to transmit the packet in operation S1007, the firewall engine 229 does not transmit the packet to the NIC driver 228 in operation S1011. According to an exemplary embodiment, the firewall engine 229 may discard the packet. In addition, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S1013.
  • FIG. 11 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • Comparing the device of FIG. 9, locations of the NIC driver 228 and the NIC 231 provided in order for the device 200 to communicate with an external device are different. Referring to FIG. 11, the NIC 231 is located on a body of the device 200 rather than the SOC and the NIC driver 228 is also located on the NDIS 218 of the kernel layer. Functions or roles of the other elements are the same as those of FIG. 9 or similar to those of FIG. 9 and thus a detailed description is omitted.
  • According to the exemplary embodiment of FIG. 11, a packet that is transmitted to an external device from the device 200 or a packet that is received by the device 200 from an external device may be transmitted to the miniport driver 217. Accordingly, the miniport driver 217 identifies an ID of an owner process of each of the packets transmitted or received and transmits the process ID to the SOC along with the packet, and the SOC applies the rule DB for each process to the packet.
  • Such a packet filtering operation will be explained with reference to FIG. 12. FIG. 12 is a flowchart to explain a packet filtering method of the device of FIG. 11 according to an exemplary embodiment.
  • Referring to FIG. 12, a packet transmitted or received is transmitted to the miniport driver 217 in operation S1201, and the miniport driver 217 identifies an owner process of the packet in operation S1203. According to an exemplary embodiment, the owner process may be identified by a process ID included in the packet.
  • Information identifying the owner process using the packet is generated and transmitted to the SOC along with the packet. At this time, the identification information may be a process ID for example.
  • The packet and the identification information (for example, a process ID) is transmitted to the firewall engine 229 of the SOC, and the firewall engine 229 determines whether the owner process is allowed to transmit or receive the packet or not using the rule DB for each process in operation S1207. That is, if the packet is to be transmitted to an external device, it is determined whether the owner process of the packet is allowed to transmit the packet or not, and, if the packet is received from an external device, it is determined whether the owner process of the packet is allowed to receive the packet or not.
  • If it is determined that the owner process is allowed to transmit or receive the packet in operation S1207, the firewall engine 229 performs packet filtering in operation S1209. That is, a packet filtering job may be performed according to the packet filtering rule stored in the rule DB 224, and the packet is allowed or blocked according to a result of the packet filtering. Alternatively, the packet filtering operation (operation S1209) may be performed before the determining operation (operation S1207).
  • If it is determined that the owner process of the packet to be transmitted to the external device is not allowed to transmit the packet in operation S1207, the firewall engine 229 does not transmit the packet to the NIC driver 228 in operation S1211. According to an exemplary embodiment, the firewall engine 229 may discard the packet. Additionally, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S1213.
  • If it is determined that the owner process of the packet received from the external device is not allowed to receive the packet in operation S1207, the firewall engine 229 does not transmit the packet to the application 203 in operation S1211. According to an exemplary embodiment, the firewall engine 229 may discard the packet. Additionally, the firewall engine 229 may transmit a signal to stop executing the owner process to the kernel layer in operation S1213.
  • FIG. 13 is a view to explain a device on which a SOC is mounted according to still another exemplary embodiment.
  • FIG. 13 is different from FIG. 11 in that the SOC includes only hardware elements. That is, the SOC of FIG. 13 includes the AP driver 221 and the firewall engine 229 to communicate with the kernel layer of the device 200. According to an exemplary embodiment, the firewall engine 229 may include a memory 241 and a matcher 242.
  • The memory 241 loads the rule DB stored in the storage device of the device 200 and temporarily stores the rule DB, and may be a volatile storage device. The matcher 242 may determine whether to allow or block a packet by comparing the packet and the packet filtering rule of the rule DB and/or the rule for each process. Functions or roles of the other elements are same as those of FIG. 11 or similar to those of FIG. 11 and THUS a detailed description thereof is omitted.
  • A packet filtering operation of the device of FIG. 13 is the same as that of FIG. 12 or similar to that of FIG. 12. However, prior to performing packet filtering by the firewall engine 229, the rule DB 219 stored in the storage device of the device 200 is loaded into the memory 241 of the SOC. After that, the miniport driver 217 identifies an ID of an owner process of each of packets transmitted or received and transmits the process ID to the SOC along with the packet, and the firewall engine 229 of the SOC applies the packet filtering rule including the rule for each process.
  • Although the packet is set to be allowed or blocked or execution of the process itself is stopped in the unit of ‘process’ of an application (program) in the above exemplary embodiments, the above operation may be performed in the unit of program other than a process. For example, with respect a blocked packet, an owner program of the packet may be identified and execution of the program may be stopped. That is, the above-described embodiments may be included in the present disclosure even if the ‘process’ is substituted with a ‘program’.
  • The embodiments described above may be realized by a computer readable code on a computer readable recording medium. The computer readable recording medium includes all kinds of recording apparatuses that store data readable by a computer system. Examples of the computer readable recording medium are a read only memory (ROM), a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy-disk, and an optical data storage device, and also may include a storage device realized in a format of a carrier wave (for example, transmission through the internet). The computer readable recording medium is distributed over a computer system connected through a network and may store and execute a code readable by a computer in a distributed manner.
  • According to one or more aspects of the exemplary embodiments, a firewall is set to allow or block packets according to a process of a network application, thereby allowing or blocking all of the packets generated by a process.
  • According to one or more aspects of the exemplary embodiments, a firewall setting job can be more easily performed with respect to a service desired by a user by providing the configuration helper when setting the rule for packet filtering.
  • While exemplary embodiments have been particularly shown and described above, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims.

Claims (25)

1. A device comprising:
a chip comprising a firewall engine; and
a driver;
at least one application which uses at least one process associated with at least one packet,
wherein an owner process uses a packet by transmitting the packet to an external device or receiving the packet from an external device,
wherein, if a packet is to be transmitted to a chip, the driver identifies the owner process of the packet, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, and
wherein the chip filters the packet received from the driver by applying a rule for packet filtering.
2. The device as claimed in claim 1, further comprising a storage unit that stores a rule database (DB),
wherein the rule DB stores a rule for each process,
wherein a rule for a process defines a packet as being allowed or blocked according to the process associated with the packet,
wherein, if the packet is to be transmitted, the driver obtains an owner process identification (ID) included in the packet and determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the chip only if the process is allowed to transmit the packet.
3. The device as claimed in claim 1, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the driver does not transmit the packet to the chip.
4. The device as claimed in claim 3, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the driver stops executing the owner process.
5. The device as claimed in claim 1, wherein the chip further comprises a network interface card, and the chip determines whether or not to transmit a packet received through the network interface card to the driver by applying the rule to the packet.
6. The device as claimed in claim 5, wherein the driver identifies an owner process of the packet received from the chip and transmits the packet to the owner process only if the owner process of the packet received from the chip is allowed to receive the packet from an external device.
7. The device as claimed in claim 1, further comprising a firewall user interface that provides a rule setting screen comprising an area for a user to input information identifying at least one from among an internet protocol (IP), a protocol, and a port,
wherein the device converts the information from the user into a rule,
wherein the firewall user interface transmits the rule to the chip, and
wherein the chip performs packet filtering using the rule received from the firewall user interface.
8. The device as claimed in claim 7, wherein the rule setting screen further comprises a configuration helper,
wherein the configuration helper provides a list of network applications, and, if at least one of the network applications is selected by the user, the configuration helper determines if at least one from among an IP, a protocol, and a port is necessary for executing the selected network application and inputs the necessary IP, protocol, or port into the area.
9. The device as claimed in claim 7, wherein the rule setting screen comprises an area to input a process and a rule, and
if a process and a rule are inputted, the rule governs all packets generated by the process.
10. A packet filtering method, the packet filtering method comprising:
identifying, by a device, an owner process of a packet to be transmitted, and transmitting the packet to a system-on-chip (SOC) only if the owner process of the packet to be transmitted is allowed to transmit the packet to an external device; and
filtering, by the SOC, the packet transmitted from the device by applying a rule for packet filtering.
11. The packet filtering method as claimed in claim 10, wherein the device stores a rule database (DB) for each process,
Wherein a rule for a processdefines a packet as being allowed or blocked according to a process associated with the packet,
wherein if the packet is to be transmitted, the device obtains an owner process identification (ID) included in the packet and determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the SOC only if the process is allowed to transmit the packet.
12. The packet filtering method as claimed in claim 10, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the device does not transmit the packet to the SOC.
13. The packet filtering method as claimed in claim 12, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the device stops executing the owner process.
14. The packet filtering method as claimed in claim 10, wherein the SOC further comprises a network interface card, and the SOC performs packet filtering by applying the rule to a packet received through the network interface card.
15. The packet filtering method as claimed in claim 14, wherein the device identifies an owner process of the packet received from the SOC and transmits the packet to the owner process only if the owner process of the packet received from the SOC is allowed to receive the packet.
16. The packet filtering method as claimed in claim 10, further comprising:
providing, by the device, a rule setting screen comprising an area to for a user to input information identifying at least one of an internet protocol (IP), a protocol, and a port;
converting, by the device, the information into a rule; and
transmitting, by the device, the rule to the SOC; and
filtering, by the SOC, the packet using the rule transmitted from the device.
17. The packet filtering method as claimed in claim 16, wherein the rule setting screen further comprises a configuration helper,
wherein the configuration helper provides a list of network applications, and, if at least one of the network applications is selected by the user, the configuration helper determines if at least one of an IP, a protocol, and a port is necessary for executing the selected network application and inputs the necessary IP, protocol, or port into the area.
18. The packet filtering method as claimed in claim 17, wherein the rule setting screen comprises an area to input a process and a rule, and
if a process and a rule are inputted, the rule governs all packets generated by the first process.
19. A non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method comprising:
identifying an owner process of a packet to be transmitted to an external device; and
only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device, transmitting the packet to a chip
wherein the chip is mounted on the computer and has a packet filtering function.
20. A device comprising:
a chip that comprises a firewall engine, and
a driver,
wherein the driver obtains an owner process identification (ID) of a packet to be transmitted to an external device and transmits the packet and the owner process ID of the packet to the chip,
wherein the firewall engine of the chip filters the packet transmitted from the driver using a rule database (DB) for packet filtering.
21. The device as claimed in claim 20, wherein the firewall engine of the chip determines whether a process having the owner process ID transmitted from the driver is allowed to transmit the packet to the external device by applying the rule DB for packet filtering.
22. The device as claimed in claim 20, further comprising a network interface card,
wherein the driver obtains an owner process ID of a packet received through the network interface card and transmits the owner process ID and the packet to the chip.
23. The device as claimed in claim 20, wherein the rule DB comprises a rule for a process,
wherein a rule for a process defines whether a packet is allowed or blocked according to the process associated with the packet.
24. A non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method comprising:
identifying an owner process of a packet to be transmitted to an external device;
obtaining an owner process identification (ID) of the packet to be transmitted to the external device; and
transmitting the packet and the owner process ID to a chip
wherein the chip is mounted on the computer and has a packet filtering function.
25. The non-transitory computer readable storing medium as claimed in claim 24, wherein the method further comprises obtaining an owner process ID of a packet received through a network interface card and transmitting the owner process ID and the packet to the chip.
US13/422,672 2011-03-16 2012-03-16 SOC-based device for packet filtering and packet filtering method thereof Expired - Fee Related US8726362B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/422,672 US8726362B2 (en) 2011-03-16 2012-03-16 SOC-based device for packet filtering and packet filtering method thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201161453290P 2011-03-16 2011-03-16
US13/422,672 US8726362B2 (en) 2011-03-16 2012-03-16 SOC-based device for packet filtering and packet filtering method thereof

Publications (2)

Publication Number Publication Date
US20120240215A1 true US20120240215A1 (en) 2012-09-20
US8726362B2 US8726362B2 (en) 2014-05-13

Family

ID=45841343

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/422,393 Abandoned US20120240186A1 (en) 2011-03-16 2012-03-16 Soc-based device for packet filtering and packet filtering method thereof
US13/422,672 Expired - Fee Related US8726362B2 (en) 2011-03-16 2012-03-16 SOC-based device for packet filtering and packet filtering method thereof

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/422,393 Abandoned US20120240186A1 (en) 2011-03-16 2012-03-16 Soc-based device for packet filtering and packet filtering method thereof

Country Status (5)

Country Link
US (2) US20120240186A1 (en)
EP (2) EP2500838A1 (en)
JP (2) JP5519718B2 (en)
KR (2) KR101404312B1 (en)
CN (2) CN102737177B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140201828A1 (en) * 2012-11-19 2014-07-17 Samsung Sds Co., Ltd. Anti-malware system, method of processing packet in the same, and computing device
US10673890B2 (en) * 2017-05-30 2020-06-02 Akamai Technologies, Inc. Systems and methods for automatically selecting an access control entity to mitigate attack traffic

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9600441B2 (en) * 2013-03-11 2017-03-21 Samsung Electronics Co., Ltd. Apparatus and method for controlling network access for applications on mobile terminals
US9667596B2 (en) 2014-06-04 2017-05-30 Bank Of America Corporation Firewall policy comparison
US9391955B2 (en) * 2014-06-04 2016-07-12 Bank Of America Corporation Firewall policy converter
US9450916B2 (en) * 2014-08-22 2016-09-20 Honeywell International Inc. Hardware assist for redundant ethernet network
CN105791234A (en) * 2014-12-23 2016-07-20 宇龙计算机通信科技(深圳)有限公司 Data sharing method and data sharing apparatus for terminal and terminal
US10489590B2 (en) 2016-03-07 2019-11-26 Chengdu Haicun Ip Technology Llc Processor for enhancing computer security
US10560475B2 (en) 2016-03-07 2020-02-11 Chengdu Haicun Ip Technology Llc Processor for enhancing network security
US10714172B2 (en) 2017-09-21 2020-07-14 HangZhou HaiCun Information Technology Co., Ltd. Bi-sided pattern processor
US11182163B1 (en) * 2018-08-31 2021-11-23 Splunk Inc. Customizable courses of action for responding to incidents in information technology environments
CN109088886B (en) * 2018-09-29 2021-10-01 郑州云海信息技术有限公司 Management method and device for monitoring policy on firewall
KR102156600B1 (en) * 2019-11-20 2020-09-16 (주)케이사인 System and method for creating association between packets collected in network and processes in endpoint computing device
DE102020103546B3 (en) 2020-02-12 2021-07-01 Audi Aktiengesellschaft Method for configuring a network, in particular in a motor vehicle
KR102280845B1 (en) 2020-11-24 2021-07-22 한국인터넷진흥원 Method and apparatus for detecting abnormal behavior in network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6868450B1 (en) * 2000-05-17 2005-03-15 Hewlett-Packard Development Company, L.P. System and method for a process attribute based computer network filter
US20080282339A1 (en) * 2002-08-20 2008-11-13 Nec Corporation Attack defending system and attack defending method
US20090240874A1 (en) * 2008-02-29 2009-09-24 Fong Pong Framework for user-level packet processing

Family Cites Families (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6205552B1 (en) 1998-12-31 2001-03-20 Mci Worldcom, Inc. Method and apparatus for checking security vulnerability of networked devices
KR100383224B1 (en) 2000-05-19 2003-05-12 주식회사 사이젠텍 Linux-Based Integrated Security System for Network and Method thereof, and Semiconductor Device Having These Solutions
AU2002226995A1 (en) 2000-11-28 2002-06-11 4Thpass Inc. Method and system for maintaining and distributing wireless applications
JP2002244755A (en) * 2001-02-16 2002-08-30 Sony Corp Data processing method, semiconductor circuit, and program
JP2003067271A (en) * 2001-08-27 2003-03-07 Hitachi Ltd Integrated management system
KR100557022B1 (en) 2001-10-06 2006-03-03 주식회사 비즈모델라인 Wireless virus protection method and system
US7316029B1 (en) 2001-10-25 2008-01-01 Sprint Communications Company L.P. Network security services architecture
US7373659B1 (en) * 2001-12-20 2008-05-13 Mcafee, Inc. System, method and computer program product for applying prioritized security policies with predetermined limitations
KR20030056652A (en) * 2001-12-28 2003-07-04 한국전자통신연구원 Blacklist management apparatus in a policy-based network security management system and its proceeding method
US7254562B2 (en) 2002-07-11 2007-08-07 Hewlett-Packard Development Company, L.P. Rule-based packet selection, storage, and access method and system
US7467406B2 (en) 2002-08-23 2008-12-16 Nxp B.V. Embedded data set processing
US20100138909A1 (en) * 2002-09-06 2010-06-03 O2Micro, Inc. Vpn and firewall integrated system
US20040059943A1 (en) * 2002-09-23 2004-03-25 Bertrand Marquet Embedded filtering policy manager using system-on-chip
US7308703B2 (en) * 2002-12-18 2007-12-11 Novell, Inc. Protection of data accessible by a mobile device
US20040143751A1 (en) * 2003-01-17 2004-07-22 Cyrus Peikari Protection of embedded processing systems with a configurable, integrated, embedded firewall
US20050216770A1 (en) 2003-01-24 2005-09-29 Mistletoe Technologies, Inc. Intrusion detection system
KR20040090373A (en) 2003-04-15 2004-10-22 주식회사 안철수연구소 Method for realtime monitoring/detecting/curing virus on wireless terminal
JP4222184B2 (en) * 2003-04-24 2009-02-12 日本電気株式会社 Security management support system, security management support method and program
US7549055B2 (en) 2003-05-19 2009-06-16 Intel Corporation Pre-boot firmware based virus scanner
US7971250B2 (en) 2003-10-08 2011-06-28 At&T Intellectual Property I, L.P. System and method for providing data content analysis in a local area network
US20050138416A1 (en) * 2003-12-19 2005-06-23 Microsoft Corporation Object model for managing firewall services
EP1551145A1 (en) * 2003-12-29 2005-07-06 Alcatel Canada Inc. Embedded filtering policy manager using system-on-chip
US7490350B1 (en) * 2004-03-12 2009-02-10 Sca Technica, Inc. Achieving high assurance connectivity on computing devices and defeating blended hacking attacks
US7840763B2 (en) 2004-03-12 2010-11-23 Sca Technica, Inc. Methods and systems for achieving high assurance computing using low assurance operating systems and processes
US7523500B1 (en) 2004-06-08 2009-04-21 Symantec Corporation Filtered antivirus scanning
KR100468374B1 (en) * 2004-07-06 2005-01-31 주식회사 잉카인터넷 Device and method for controlling network harmful traffic
US7418253B2 (en) 2004-07-19 2008-08-26 Telefonaktiebolaget Lm Ericsson (Publ) Method, security system control module and policy server for providing security in a packet-switched telecommunications system
JP2006157313A (en) * 2004-11-26 2006-06-15 Nec Corp Path creation system, path creation apparatus and path creation program
US20070022479A1 (en) 2005-07-21 2007-01-25 Somsubhra Sikdar Network interface and firewall device
JP4641794B2 (en) * 2004-12-28 2011-03-02 富士通株式会社 Packet filter synchronization method and packet relay system
US7839854B2 (en) 2005-03-08 2010-11-23 Thomas Alexander System and method for a fast, programmable packet processing system
US8667106B2 (en) * 2005-05-20 2014-03-04 At&T Intellectual Property Ii, L.P. Apparatus for blocking malware originating inside and outside an operating system
US20060282878A1 (en) * 2005-06-14 2006-12-14 Stanley James C Expression of packet processing policies using file processing rules
US7784094B2 (en) 2005-06-30 2010-08-24 Intel Corporation Stateful packet content matching mechanisms
US8869270B2 (en) 2008-03-26 2014-10-21 Cupp Computing As System and method for implementing content and network security inside a chip
US7970899B2 (en) * 2006-03-03 2011-06-28 Barracuda Networks Inc Integrated data flow packet admission and traffic management apparatus
KR101359324B1 (en) 2006-03-27 2014-02-24 텔레콤 이탈리아 소시에떼 퍼 아찌오니 System for enforcing security policies on mobile communications devices
KR100750377B1 (en) * 2006-05-09 2007-08-17 한정보통신 주식회사 SOC-based network security system and method
JP2007329876A (en) * 2006-06-09 2007-12-20 Canon Inc Device control apparatus and network security method thereof
KR101206542B1 (en) 2006-12-18 2012-11-30 주식회사 엘지씨엔에스 Apparatus and method of securing network of supporting detection and interception of dynamic attack based hardware
CN1997074A (en) * 2006-12-27 2007-07-11 华为技术有限公司 System, device and method for strategy-based routing mode
KR100878895B1 (en) 2007-02-08 2009-01-15 삼성전자주식회사 Mobile device malicious code processing device and processing method
US8416773B2 (en) 2007-07-11 2013-04-09 Hewlett-Packard Development Company, L.P. Packet monitoring
US8079084B1 (en) 2007-08-10 2011-12-13 Fortinet, Inc. Virus co-processor instructions and methods for using such
US7911990B2 (en) * 2007-10-26 2011-03-22 Microsoft Corporation Ad hoc wireless networking
US8037532B2 (en) 2007-12-11 2011-10-11 International Business Machines Corporation Application protection from malicious network traffic
JP5275673B2 (en) * 2008-04-23 2013-08-28 トヨタ自動車株式会社 Multi-core system, vehicle gateway device
US8245296B2 (en) 2008-05-23 2012-08-14 Verizon Patent And Licensing Inc. Malware detection device
JP5176983B2 (en) * 2008-09-22 2013-04-03 富士通株式会社 Filter device, filter program and method
US8146134B2 (en) 2008-10-28 2012-03-27 Yahoo! Inc. Scalable firewall policy management platform
US8914878B2 (en) 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
CN101895529B (en) * 2010-05-31 2014-05-21 上海网宿科技股份有限公司 A Method for Judging the Process of TCP/IP Packet in Driver Layer
KR101279213B1 (en) * 2010-07-21 2013-06-26 삼성에스디에스 주식회사 Device and method for providing soc-based anti-malware service, and interface method
US8539545B2 (en) * 2010-07-22 2013-09-17 Juniper Networks, Inc. Domain-based security policies

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6868450B1 (en) * 2000-05-17 2005-03-15 Hewlett-Packard Development Company, L.P. System and method for a process attribute based computer network filter
US20080282339A1 (en) * 2002-08-20 2008-11-13 Nec Corporation Attack defending system and attack defending method
US20090240874A1 (en) * 2008-02-29 2009-09-24 Fong Pong Framework for user-level packet processing

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140201828A1 (en) * 2012-11-19 2014-07-17 Samsung Sds Co., Ltd. Anti-malware system, method of processing packet in the same, and computing device
US9306908B2 (en) * 2012-11-19 2016-04-05 Samsung Sds Co., Ltd. Anti-malware system, method of processing packet in the same, and computing device
US10673890B2 (en) * 2017-05-30 2020-06-02 Akamai Technologies, Inc. Systems and methods for automatically selecting an access control entity to mitigate attack traffic
US10673891B2 (en) 2017-05-30 2020-06-02 Akamai Technologies, Inc. Systems and methods for automatically selecting an access control entity to mitigate attack traffic

Also Published As

Publication number Publication date
KR101404312B1 (en) 2014-06-27
US20120240186A1 (en) 2012-09-20
EP2500838A1 (en) 2012-09-19
KR20120106641A (en) 2012-09-26
JP5475041B2 (en) 2014-04-16
JP5519718B2 (en) 2014-06-11
KR20120106640A (en) 2012-09-26
CN102737177A (en) 2012-10-17
EP2501101A1 (en) 2012-09-19
JP2012195943A (en) 2012-10-11
CN102737177B (en) 2016-11-09
US8726362B2 (en) 2014-05-13
KR101339512B1 (en) 2013-12-10
JP2012195940A (en) 2012-10-11
CN102685104A (en) 2012-09-19

Similar Documents

Publication Publication Date Title
US8726362B2 (en) SOC-based device for packet filtering and packet filtering method thereof
US12375565B2 (en) Sub-networks based security method, apparatus and product
US10735511B2 (en) Device and related method for dynamic traffic mirroring
US10554691B2 (en) Security policy based on risk
US20210176211A1 (en) Method and system for restricting transmission of data traffic for devices with networking capabilities
US20190268384A1 (en) Security-on-demand architecture
US20160191568A1 (en) System and related method for network monitoring and control based on applications
CN106464422A (en) Method to enable deep packet inspection (DPI) in openflow-based software defined network (SDN)
US10965789B2 (en) Method and system for updating a whitelist at a network node
Osman et al. Transparent microsegmentation in smart home {IoT} networks
CN104394175A (en) Message access control method based on network marking
EP2680141A1 (en) Security for TCP/IP-based access from a virtual machine to network attached storage by creating dedicated networks, MAC address authentification and data direction control
JP6052692B1 (en) Security management method, program, and security management system
JP5902264B2 (en) Communication control device, communication control system, communication control method, and communication control program
JP6591504B2 (en) Packet filtering device
JP6286314B2 (en) Malware communication control device
KR101466944B1 (en) Method for controlling application data and network device thereof

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG SDS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:YOO, INSEON;REEL/FRAME:027879/0618

Effective date: 20120316

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20220513